[systemd-devel] [PATCH] add keyscript support to cryptsetup

Lennart Poettering lennart at poettering.net
Mon Jul 9 14:56:51 PDT 2012


On Mon, 09.07.12 23:14, Tollef Fog Heen (tfheen at err.no) wrote:

> 
> ]] Lennart Poettering 
> 
> > I wonder what the precise usecases for this are, and whether we can't
> > find better solutions for these usecases... I mean, we already have the
> > password agent logic, that is asynchronous, and way more powerful:
> 
> It's also much harder to write something for.
> 
> A use case for keyscript is something like
> https://github.com/tfheen/ykfde/blob/master/helper which (while not
> really a keyscript as it is) implements integration with Yubikeys. Doing
> that with the full password agent proposal is much, much harder and
> doesn't really gain us anything in this case.

Well, but this script is very racy as it expects yubikeys to be
instantly available at boot. This really needs to be async and watch
both for yubikeys as they are plugged in and for new passwords as they
are queried. Also this script expects an interactive console, which is
extra racy...

I am fully aware that writing proper agents is harder than scripting things,
but it is also, well, much more correct.

Given that I actually own a yubikey (which I don't use), I am actually
tempted to fix this properly. Would be really cool to use that for LUKS
decryption.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.

